DISA STIG Updates - 27 July 2018

================================================================================
 $Id: README,v 1.10 2018/07/30 17:28:37 amanninen Exp $
README for NetMRI STIG Policy Release 27 July 2018
================================================================================

This package will update the DISA STIG Policies and Policy Rules on a given
NetMRI to the STIG libraries released on 27 July 2018 (SRG-STIG Library - NON-FOUO).

The STIGs included are:
    STIG Firewall Version 8 Release 25
    STIG Infrastructure Layer 2 Switch Version 8 Release 25
    STIG Infrastructure Layer 3 Switch Version 8 Release 27
    STIG Infrastructure Router Version 8 Release 27
    STIG Network Devices Version 8 Release 22
    STIG Perimeter Layer 3 Switch Version 8 Release 30
    STIG Perimeter Router Version 8 Release 30

The installation program will update existing rules on the device based on the
title of the existing rules; if the program cannot find the rule that is being
updated, it will create the new rule(s) from the latest STIG libraries. It will
also prune rules found on the device that are no longer needed.

INSTALLATION
============
See the accompanying file INSTALL.

CHANGES SINCE 20180427
======================
NET-VLAN-024
    Added an exception in Check content to allow HBSS RSD traffic to egress the
    printer VLAN.

NET-NAC-009
    Included the allowance for MAC Authentication Bypass and removed the
    downgrade to a CAT III.

NET0987
    Changed "rouiter" in the vulnerability discussion to "router".

NET1640
    Split into NET1640E and NET1640I. Updated Check content to require
    logging of logon attempts via the console and aux ports.

NET-SRVFRM-003
    Updated Check content so that the firewall works in combination with the
    filtering provided by the L3 switch.

CHANGES SINCE 20180126
======================
NET0405
    Added the following note to the check content: This feature can be enabled
    if the communication is only to a server residing in the local area
    network or enclave.

NET0465
    Changed the check content to state the following: Authorized accounts should
    have the least privilege levels unless deemed necessary for assigned duties.

CHANGES SINCE 20171028
======================
NET0813
    Added exception to allow downgrading to a CAT III if using MD5 for NTP
    authentication. Removed references to PKI.

NET1615
    Changed CHAP to EAP. Removed Responsibility.

CHANGES SINCE 20170727
======================
NET0740
    Updated discussion section and check content to clarify the difference
    between enabling HTTP and HTTPS services for administrative access.

NET0760
    Updated check to allow for Configuration auto-loading when connected to an
    operational network.

CHANGES SINCE 20170428
======================
NET0190
    Rule deleted -- Check was removed as it was no longer relevant and does not
    provide any security advantage.
    
NET0377
    Updated Description and Check Content.
    
NET0422
    Updated Description and Check Content.
    
NET0425
    Updated Description and Check Content.
    
NET1638
    Updated Cisco Check Content section example.
    
NETMCAST020
    Rule deleted -- Check was removed as it was no longer relevant and does not
    provide any security advantage.

CHANGES SINCE 20170403
======================
Brocade/Foundry has been added to Network Devices, Infrastructure Layer 2, and
Infrastructure Layer 3 Policies.

Rules affected
--------------
NET-IPV6-025
NET-IPV6-034
NET-IPV6-59
NET-NAC-001
NET-NAC-004
NET-NAC-009I
NET-NAC-010
NET-NAC-012
NET-TUNL-012
NET-TUNL-17
NET-VLAN-002
NET-VLAN-004
NET-VLAN-006
NET-VLAN-007
NET-VLAN-008
NET-VLAN-023
NET-VLAN-024
NET-VLAN009I
NET0230
NET0240
NET0408
NET0422
NET0431
NET0432
NET0433
NET0434
NET0435
NET0436
NET0437
NET0438
NET0440E
NET044IE
NET0460
NET0465v8
NET0470
NET0600
NET0700
NET0720
NET0722
NET0724
NET0726
NET0730
NET0740
NET0750
NET0760
NET0770
NET0790
NET0812
NET0813
NET0814
NET0815
NET0816
NET0817
NET0819
NET0820a
NET0890a
NET0894
NET0897I
NET0898I
NET0899I
NET0900I
NET0901I
NET0902
NET0903I
NET0949
NET0966
NET0985
NET0986
NET0988
NET0989
NET0990v8
NET0991
NET0992
NET0993
NET0994
NET0995
NET0996
NET0997
NET1000v8
NET1003
NET1004
NET1006
NET1020
NET1021
NET1022
NET1023
NET1027
NET1030
NET1071
NET1623E
NET1624
NET1637
NET1638
NET1639
NET1640
NET1645E
NET1646E
NET1647
NET1660
NET1665E
NET1675
NET1710
NET1720
NET1731
NET1733
NET1734
NET1750
NET1760
NET1762
NET1807
NET1808
NETMCAST001
NETMCAST002
NETMCAST010
NETSRVFRM003
NETSRVFRM004

CHANGES SINCE 20170208
======================
CAT II and III STIGs have been updated for F5 and Juniper devices.

NET0162
    Check Content in description has been updated.

NET0164
    Check Content in description has been updated.

NET0166
    Check Content in description has been updated.

NET0167
    Check Content in description has been updated.

NET0378
    Rule created. The Policy Rule will fail if a given Firewall is listening
    on port 23 or 1467.

NET0710
    Rule has been updated to check whether LLDP is included in the global
    configuration and as such is no longer a Cisco-only Policy Rule. Cisco
    devices should still be checked to ensure that they are not using CDP
    globally as well as LLDP.

Updated Policy Rule Names
-------------------------
NET-IPV6-004
NET-IPV6-005
NET-IPV6-006
NET-IPV6-008
NET-IPV6-010
NET-IPV6-011
NET-IPV6-016
NET-IPV6-017
NET-IPV6-024
NET-IPV6-025
NET-IPV6-026
NET-IPV6-027
NET-IPV6-028
NET-IPV6-029
NET-IPV6-030
NET-IPV6-031
NET-IPV6-032
NET-IPV6-033
NET-IPV6-034
NET-IPV6-035
NET-IPV6-047
NET-IPV6-048
NET-IPV6-060
NET-IPV6-061
NET-IPV6-062
NET-IPV6-063
NET-IPV6-064
NET-TUNL-001
NET-TUNL-002
NET-TUNL-003
NET-TUNL-004
NET-TUNL-006
NET-TUNL-007
NET-TUNL-019
NET-TUNL020E
NET-TUNL020I
NET0366
NET0375
NET0377
NET0379
NET0380
NET0386
NET0388
NET0390
NET0391
NET0392
NET0395
NET0396
NET0398
NET0410
NET0412
NET0422
NET0728
NET0745
NET0780
NET0800
NET0892
NET0910
NET0911
NET0912
NET0918
NET0920
NET0921
NET0923
NET0924
NET0926
NET0927
NET0950
NET0960
NET0993
NET1001
NET1006
NET1288
NET1289
NET1300
NET1780
NET1807
NET1808
NET1970
NETMCAST009

CHANGES SINCE 20170131
======================
NET-IPV6-004
    Added Palo Alto logic. The Policy Rule will fail if there are any
    router-advertisement fields enabled in the configuration file.

NET-IPV6025E
    Added Palo Alto logic. The Policy Rule will fail if any FEC0::/10 ipv6
    addresses are defined.

NET-NAC-001
    Added Palo Alto logic. The Policy Rule will pass if no RADIUS settings
    are configured.

NET-NAC-004
    Added Palo Alto logic. The Policy Rule will pass if no RADIUS settings
    are configured.

NET-NAC-010
    Added Palo Alto logic. The Policy Rule will pass if no RADIUS settings
    are configured.

NET0386
    Added Palo Alto logic. The Policy Rule will pass if the alerts disk-quota is
    <=75%, otherwise it will raise an Info.

NET0405
    Removed Palo Alto from the SetFilter. Although there is an external
    reporting system on PAN devices, they do not contain configuration
    information.

NET0422
    Removed Palo Alto from the SetFilter. PAN devices cannot be configured to
    have key chaining like Cisco products.

NET0431
    Added Palo Alto logic. The Policy Rule will pass if no RADIUS settings
    are configured.

NET0432
    Added Palo Alto logic. The Policy Rule will pass if no RADIUS settings
    are configured.

NET0437
    Added Palo Alto logic. The Policy Rule will pass if no RADIUS settings
    are configured.

NET1629I
    Could not determine a way to disable the MGT port from within the
    configuration file. This Policy Rule is set to always Fail if a Palo Alto
    device is evaluated.
    
NET1638
    Added Palo Alto logic. The Policy Rule will fail if Telnet or HTTP is
    enabled or if HTTPS or SSH is disabled.
    
NET1645I
    Added Palo Alto to SetFilter. This Policy Rule will always raise an Info.
    It could not be determined how to configure a Palo Alto device's SSH
    authentication timeout.
    
NET1646I
    Added Palo Alto to SetFilter. This Policy Rule will always raise an Info.
    It could not be determined how to configure a Palo Alto device's SSH
    retry attempts.
    
NET1647
    Added Palo Alto logic. A Palo Alto device will always pass this Policy Rule
    because Palo Alto only uses SSH-2.


CHANGES FOR 20170131
====================
NET-IPV6-016
    Merged NET-IPV6016E and NET-IPV6016I.
    
NET-IPV6-022
    Deleted. Rule is no longer in STIG library.

NET-IPV6-033
    This rule only applies to Cisco devices.

NET-IPV6-065
    Merged NET-IPV6065E and NET-IPV6065W.

NET-IPV6-066
    Merged NET-IPV6066E and NET-IPV6066W.

NET-IPV6025E
    Cisco portion was updated.

NET-IPV6025I
    No change.

NET-NAC-001
    If AAA is configured in the config file, this raises an Info.
    On Info, check the AAA server configuration.

NET-NAC-004
    If AAA is configured in the config file, this raises an Info.
    On Info, check the AAA server configuration.

NET-TUNL-013
    Merged NET-TUNL013E and NET-TUNL013I into this rule. The rule will still
    check the original NET-TUNL013E logic for Cisco and will pass if L2TP is
    NOT set up on the device. This rule will always raise an Info for non-Cisco
    devices.

NET-TUNL-033
    Deleted. Removed from STIG.

NET-TUNL-034
    Merged NET-TUNL-34I and NET-TUNL-34W. Juniper devices will always pass due
    to not having L2TPv3 support. Cisco devices will pass if L2TPv3 is not
    configured.

NET-VLAN-002
    Merged NET-VLAN002E and NET-VLAN002I. Rule requires a manual audit.

NET-VLAN-004
    Merged NET-VLAN004E and NET-VLAN004I. Rule requires a manual audit.

NET-VLAN-005
    Merged NET-VLAN005E and NET-VLAN005I. Rule requires a manual audit.

NET-VLAN-006
    Updated to reflect current STIG.

NET-VLAN-007
    Updated to reflect current STIG.

NET-VLAN-008
    Updated to reflect current STIG.

NET-VLAN-023
    Renamed and updated.

NET0340
    Moved all vendor logic into the SetFilter. Completed Option A's logic to
    include the entire banner text. PolicyRuleLogic now only checks that either
    banner is present in the config file instead of checking for each
    vendor-specific command. For Option B, "&" is matched by "." because of an
    API limitation in storing an ampersand. Check Content was updated to also
    include the text of Option B.

NET0380
    Created missing rule. This STIG requires a manual audit to ensure that
    packets are not claiming to be loopback.

NET0386
    Renamed and updated.

NET0422
    Merged NET0422E and NET0422I.

NET0431
    Updated to always pass if AAA is NOT enabled in the configuration files,
    otherwise it will raise an Info with instructions to verify the AAA server
    configuration.

NET0432
    Updated to always pass if AAA is NOT enabled in the configuration files,
    otherwise it will raise an Info with instructions to verify the AAA server
    configuration.

NET0437
    Updated to always pass if AAA is NOT enabled in the configuration files,
    otherwise it will raise an Info with instructions to verify the AAA server
    configuration.

NET0580
    Updated. Policy Rule is for JUNOS only.

NET0700E
    Most recent OSes:
    Cisco ASA: 9.6(2)
    Cisco IOS: 15.6(3)M
    Palo Alto Networks PAN-OS: 7.1.7

NET0700I
    No change.

NET0710
    Updated -- Cisco only Policy Rule.

NET0720
    Updated -- Cisco only Policy Rule.

NET0722
    Updated -- Cisco only Policy Rule.

NET0724
    Updated -- Cisco only Policy Rule.

NET0726
    Updated -- Cisco only Policy Rule.

NET0728
    Updated -- Cisco only Policy Rule.

NET0742
    Updated -- JUNOS only Policy Rule.

NET0745
    Created rule. This STIG will raise an Info if any interface does not contain
    the command "no mop enable" in the configuration. This rule can produce a
    false positive because not all versions of IOS support MOP (although it
    appears that there are versions of 15+ that still support this feature).

NET0750
    Updated -- Cisco only Policy Rule.

NET0760
    Updated the Check Content to reflect the current STIG.

NET0780
    Updated -- Cisco only Policy Rule.

NET0781
    Updated -- Cisco only Policy Rule.

NET0790
    Updated -- Cisco only Policy Rule.

NET0813
    Changed to always raise an Info. Requires inspection of which network the
    NTP server is on.

NET0890a
    Added Cisco Check Content in the description. Cisco rule ensures that
    Access Lists are set up on the device but cannot verify if they are
    connected to the NMS.

NET0918
    Updated the Check Content to reflect the current STIG.

NET0928
    Deleted. Removed from STIG.
    
NET0940
    Deleted. Removed from STIG.

NET0949
    Updated -- Cisco only Policy Rule.

NET0965
    Updated the Check Content to reflect the current STIG. The Cisco logic is
    OK; the Juniper logic probably will not work with the updated Check
    Content.

NET0990v8
    Created new rule. The old logic of NET0990 does not apply to this new
    version of the STIG. The original JUNOS version of NET0990 should be
    deleted as it is not even accurate to any STIG.

NET0991
    Added the examples for Cisco Routers, Catalyst Switches, and ASA appliances,
    and Juniper. STIG requires a manual audit due to the nature of needing to
    know which interface is set up for OOBM.

NET0993
    Updated. The fail message is now unique to each example that the STIG
    provides. If the rule detects that the device evaluated is a Cisco ASA
    firewall, it will show the ASA example. If it evaluates any other Cisco
    device, it will give the IOS example.

NET0994
    Added Cisco Check Content to the description and ensured that the rule
    will always flag an Info.
    
NET1006
    Merged NET1006E and NET1006I.

NET1022
    Requires a physical inspection of the syslog server to ensure that it is
    compliant.

NET1023
    Requires interviewing the IAO.

NET1030
    There is no way within the PolicyRule XML schema to compare the actual
    running configuration with the boot configuration of the device in question.
    JUNOS is not affected by this STIG item because the active configuration is
    stored on flash as juniper.conf.

    "JUNOS Procedure: This will never be a finding. The active configuration is
    stored on flash as juniper.conf. A candidate configuration allows
    configuration changes while in configuration mode without initiating
    operational changes. The router implements the candidate configuration when
    it is committed; thereby, making it the new active configuration--at which
    time it will be stored on flash as juniper.conf and the old juniper.conf
    will become juniper.conf.1."

NET1071E
    No change.

NET1071I
    Updated to always flag an Info for all vendors (Error-version to be deleted).
    Requires a manual audit to ensure the TFTP server is connected using a
    managed network.

NET1299
    Deleted. Removed from STIG library.

NET1300
    Merged NET1300E and NET1300I.

NET1615
    Removed F5 logic as F5 cannot use PPP.
    By default, PA devices use CHAP and fall back on PPP authentication when
    RADIUS or TACACS+ is used.

NET1623
    Split into NET1623E and NET1623I.

NET1638
    Updated the Description field to reflect the changes in the library. Added
    PA logic. Checks to ensure that HTTP and telnet are disabled and that HTTPS
    and SSH are enabled.
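The NET0745 and NET1638 checks described above, re-expressed as a small config
audit over a constructed Cisco IOS-style configuration. This is an added
example, not NetMRI's PolicyRule logic; the sample configuration and the exact
command strings it matches are assumptions.

```python
import re
from typing import Dict, List

# Constructed IOS-style configuration used as sample input (not a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-1
ip http server
no ip http secure-server
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no mop enable
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
line vty 0 4
 transport input telnet ssh
!
"""


def interface_stanzas(config: str) -> Dict[str, List[str]]:
    """Group the indented lines under each 'interface <name>' heading."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas


def interfaces_missing_no_mop(config: str) -> List[str]:
    """NET0745-style check: report interfaces lacking 'no mop enable'."""
    return [name for name, lines in interface_stanzas(config).items()
            if "no mop enable" not in lines]


def insecure_mgmt_findings(config: str) -> List[str]:
    """NET1638-style check: HTTP/Telnet enabled or HTTPS/SSH disabled."""
    findings: List[str] = []
    if re.search(r"^ip http server$", config, re.M):
        findings.append("HTTP management enabled (ip http server)")
    if re.search(r"^no ip http secure-server$", config, re.M):
        findings.append("HTTPS management disabled (no ip http secure-server)")
    for m in re.finditer(r"^ transport input (.+)$", config, re.M):
        protocols = m.group(1).split()
        if "telnet" in protocols or "all" in protocols:
            findings.append(f"Telnet permitted on a vty line (transport input {m.group(1)})")
        if "ssh" not in protocols and "all" not in protocols:
            findings.append(f"SSH not permitted on a vty line (transport input {m.group(1)})")
    return findings
```

On the sample above the MOP check flags GigabitEthernet0/1 and the management
check reports three findings (HTTP on, HTTPS off, Telnet permitted).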

NET1640
    Changed to always raise an Info. The logic that was in the rule previously
    does not reflect what the STIG was discussing. Every management connection
    requires inspection to ensure that they are being logged correctly.

NET1710
    SetFilter created to NOT evaluate Cisco, F5, Juniper, or PA devices as they
    are not used as NMS. If a vendor other than the supported vendors is
    evaluated, the rule will Fail, informing the admin to check the alarm
    system for the device in question.

NET1720
    SetFilter created to NOT evaluate Cisco, F5, Juniper, or PA devices as they
    are not used as NMS. If a vendor other than the supported vendors is
    evaluated, the rule will Fail, informing the admin to check the alarm
    system for the device in question.

NET1731
    Requires interviewing the IAO.

NET1750
    SetFilter created to NOT evaluate Cisco, F5, Juniper, or PA devices as they
    are not used as NMS. If a vendor other than the supported vendors is
    evaluated, the rule will Fail, informing the admin to check the alarm
    system for the device in question.

NET1760
    SetFilter created to NOT evaluate Cisco, F5, Juniper, or PA devices as they
    are not used as NMS. If a vendor other than the supported vendors is
    evaluated, the rule will Fail, informing the admin to check the alarm
    system for the device in question.

NET1762
    SetFilter created to NOT evaluate Cisco, F5, Juniper, or PA devices as they
    are not used as NMS. If a vendor other than the supported vendors is
    evaluated, the rule will Fail, informing the admin to check the alarm
    system for the device in question.

NET1780
    SetFilter created to NOT evaluate Cisco, F5, Juniper, or PA devices as they
    are not used as NMS. If a vendor other than the supported vendors is
    evaluated, the rule will Fail, informing the admin to check the alarm
    system for the device in question.

NET1807
    Merged NET1807E and NET1807I.

NETMCAST001
    Merged NETMCAST001I and NETMCAST001W into this rule. Cisco devices will
    pass if multicast-routing is not enabled, else an Info is raised.

NETMCAST002
    Merged NETMCAST002I and NETMCAST002W into this rule. Cisco devices will
    pass if multicast-routing is not enabled, else an Info is raised.

NETMCAST010
    Created rule. This rule will pass if multicast routing is not enabled on
    the device. If it is, it will raise an Info with the STIG example being
    raised as the remediation message for Cisco and Juniper devices.

NETMCAST020
    Merged NETMCAST020E and NETMCAST020W. This rule will now raise an Info for
    Cisco if multicast routing and IGMPv3 are enabled for ipv4 configuration.
    An Info will also be raised for Cisco if multicast routing and ipv6
    addresses are configured.

UPDATED WITHOUT MAJOR CHANGES
=============================
NET-IPV6-004    
NET-IPV6-008
NET-IPV6-026
NET-IPV6-027
NET-IPV6-028
NET-IPV6-029
NET-IPV6-030
NET-IPV6-031
NET-IPV6-032
NET-IPV6-034
NET-IPV6-059
NET-NAC-009E
NET-NAC-010
NET-NAC-012
NET-NAC-031
NET-NAC-032
NET-TUNL-019
NET-TUNL-17
NET-TUNL-20E
NET-VLAN009E
NET0190
NET0230
NET0240E
NET0366
NET0375
NET0388
NET0391
NET0392
NET0400v8
NET0405
NET0408
NET0410
NET0425
NET0433
NET0440E
NET0441E
NET0600
NET0730
NET0740
NET0744E
NET0770
NET0800E
NET0812
NET0820a
NET0894
NET0897E
NET0898E
NET0899E
NET0900E
NET0901E
NET0902
NET0903E
NET0910E
NET0911E
NET0912E
NET0923
NET0924
NET0927
NET0950
NET0960E
NET0966E
NET0987E
NET0992E
NET1005
NET1007E
NET1008E
NET1020
NET1021
NET1027
NET1616
NET1617
NET1624
NET1629E
NET1636
NET1637
NET1639E
NET1645E
NET1646E
NET1647
NET1660
NET1665E
NET1800
NET1970
NETMCAST009

RULES REQUIRING MANUAL AUDITING
===============================
NET-IPV6-005
NET-IPV6-006
NET-IPV6-010
NET-IPV6-011
NET-IPV6-017
NET-IPV6-024
NET-IPV6-035
NET-IPV6-047
NET-IPV6-048
NET-IPV6-060
NET-IPV6-061
NET-IPV6-062
NET-IPV6-063
NET-IPV6-064
NET-NAC-009I
NET-TUNL-001
NET-TUNL-002
NET-TUNL-003
NET-TUNL-004
NET-TUNL-006
NET-TUNL-007
NET-TUNL-012
NET-TUNL-20I
NET-VLAN-024
NET-VLAN009I
NET0162
NET0164
NET0166
NET0167
NET0240I
NET0377
NET0379
NET0390
NET0395
NET0396
NET0398
NET0412
NET0434
NET0435
NET0436
NET0438
NET0440I
NET0441I
NET0460
NET0465v8
NET0470
NET0744I
NET0800I
NET0802
NET0814
NET0815
NET0816
NET0817
NET0819
NET0892
NET0897I
NET0898I
NET0899I
NET0900I
NET0901I
NET0903I
NET0910I
NET0911I
NET0912I
NET0920
NET0921
NET0926
NET0960I
NET0966I
NET0985
NET0986
NET0987I
NET0988
NET0989
NET0992I
NET0995
NET0996
NET0997
NET1000v8
NET1001
NET1003
NET1004
NET1007I
NET1008I
NET1288
NET1289
NET1629I
NET1639I
NET1645I
NET1646I
NET1665I
NET1675
NET1732
NET1733
NET1734
NET1808
NETSRVFRM003
NETSRVFRM004
NETSRVFRM005

- END README -

MD5
================
a3ca1cfd33dc5fa0172c7051ff6f8a58  U_SRG-STIG_2018_07_Update.tar.gz